Access Governance Leads To Information Security

While identity and access management (IAM) is important in every industry, it is particularly important in the legal profession, given how sensitive the information that law firms handle is. Not only do firms want to keep this information safe for their own business reasons, but they also have to meet very strict government requirements when it comes to securing client information.

One of the most common is the attorney-client privilege, which secures the correspondence between a client and their lawyer. There are also other regulations they need to meet, though, depending on the case. For example, when dealing with cases that involve medical information, law firms also need to follow HIPAA guidelines, such as ensuring that medical information is secured with proper encryption and password policies. “Firms must have methodologies for preventing, detecting, containing and correcting security violations.” [1]

WHY IS THIS DIFFICULT IN THE LAW INDUSTRY?

Ensuring security can be somewhat difficult since a law office usually has several different types of employees, from the office manager to a legal secretary, paralegal or even an intern, not to mention attorneys. All of these people need different access rights in the network. With the frequent movement of these types of employees, it can be difficult and time-consuming to deal with their accounts and access, while still ensuring they only have access to what they should.

Another common account issue is that firms often work with temporary employees, such as specialists on cases, who may need access to specific systems that the firm uses. The firm needs to ensure that these accounts are created correctly and then disabled as soon as the person is no longer consulting with the firm. Sometimes, with larger cases, the firm might also need to share files and information with other firms who are assisting. In this case also, temporary access might need to be created.

HOW CAN THIS BE ACCOMPLISHED ECONOMICALLY FOR A SMALL LAW FIRM?

Many identity and access management vendors allow customers to easily customize their solution to exactly what is required, so they don’t have to implement a huge enterprise solution like larger, multi-national organizations would.

Law firms can pick and choose exactly which modules of an IAM solution they would need, to ensure security and efficiency. For the issues listed above, an automated account management solution would help greatly. A manager can easily add the employee to the HR system and automatically create accounts for the new employee in all systems and applications that they need. They can also generate a report to easily see who has access rights to which systems, and make corrections if needed, to ensure, for example, that an intern doesn’t accidentally have access to secure client data.

A date can even be set for temporary employees or consultants so that when their contract ends, their account is automatically disabled. Then, when the employee is no longer with the law firm, their account only needs to be disabled in the source system and all of their connected accounts are automatically disabled.

The organization can go one step further and also use an access governance solution. Access governance ensures that each employee within the organization has the correct access rights to the exact resources that they need, so that an employee does not accidentally receive access to an application that they should not. For example, say an intern, let’s call him Mike, starts at the company and eventually moves up the ranks to a full-time lawyer, over time receiving additional access rights for his new role. Then a new intern is hired to replace him, and the manager assumes it would be easy to just copy Mike’s access rights for the new hire. As a result, the new intern accidentally has access rights to secure applications that they should not have.

With access governance, the firm sets up a model of exactly which access rights each role in the organization should have. For example, someone working as a senior lawyer will need certain access rights to systems, applications and resources. With access governance in place, the account is created without access mistakes, meaning the employee is given neither too many rights nor too few. It ensures that the employee receives exactly the correct rights that they need and in a timely manner.
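A minimal sketch of the access review described above, added here as an illustration and not taken from any IAM product: it compares each account's rights against the role model and flags rights beyond the role, rights the role should have but lacks, and temporary accounts still enabled after their end date. The role names, entitlement names, accounts and dates are all constructed assumptions.

```python
from datetime import date

# Constructed role model: which rights each role should have (hypothetical names).
ROLE_MODEL = {
    "intern": {"email", "document_templates"},
    "paralegal": {"email", "document_templates", "case_files"},
    "senior_lawyer": {"email", "document_templates", "case_files",
                      "client_data", "billing"},
}

# Constructed accounts. "new_intern" was created by copying Mike's rights;
# "consultant" is a temporary account whose contract has already ended.
ACCOUNTS = [
    {"user": "mike", "role": "senior_lawyer", "enabled": True, "end_date": None,
     "rights": set(ROLE_MODEL["senior_lawyer"])},
    {"user": "new_intern", "role": "intern", "enabled": True, "end_date": None,
     "rights": set(ROLE_MODEL["senior_lawyer"])},
    {"user": "consultant", "role": "paralegal", "enabled": True,
     "end_date": date(2024, 3, 31), "rights": {"email", "case_files"}},
]

def review_access(accounts, role_model, today):
    """Return (user, finding, detail) tuples for every deviation from the model."""
    findings = []
    for acct in accounts:
        allowed = role_model.get(acct["role"])
        if allowed is None:
            # A role outside the model cannot be reviewed; surface it instead.
            findings.append((acct["user"], "unknown_role", (acct["role"],)))
            continue
        excess = acct["rights"] - allowed    # too many rights for the role
        missing = allowed - acct["rights"]   # too few rights for the role
        if excess:
            findings.append((acct["user"], "excess_rights", tuple(sorted(excess))))
        if missing:
            findings.append((acct["user"], "missing_rights", tuple(sorted(missing))))
        end = acct["end_date"]
        if end is not None and end < today and acct["enabled"]:
            findings.append((acct["user"], "expired_still_enabled",
                             (end.isoformat(),)))
    return findings

if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, ROLE_MODEL, date(2024, 6, 1)):
        print(f"{user:12} {finding:22} {', '.join(detail)}")
```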

All of these measures not only ensure that the law firm maintains security but also guarantee that everyone has the correct access rights to be efficient. Many law firms have found these solutions to be successful for them because they are able to implement exactly what is required for their issues without taking on a huge IAM project.